Privileges

You can manage who can do what with your Coveo Cloud organization by assigning access levels on privileges when you define groups or API keys (see Groups - Page and API Keys - Page). See which access levels are available for each privilege in the tables below.

In the Coveo Cloud V2 administration console, privileges are grouped by service. Group members that are granted an access level for a privilege typically gain access to one or more related administration console main menu pages and related API calls. For most privileges, the available access levels are View and Edit. Members with the View access level on a privilege can only review the configuration of a resource. To edit the configuration and access the child panels of a main menu page, the Edit access level is usually required. Similarly, the ability to create new resources is automatically granted with the Edit access level, unless, for Sources, you opt for a Custom access level, in which case you can choose whether to grant it or not (see Custom).

  • Although most privilege names may be similar to the options in the Coveo Cloud V2 administration console navigation menu, a View or Edit access level on a privilege alone is not necessarily sufficient to view or edit the corresponding page content. Other privileges may be required to view or edit the content of an administration console page. See the Required Privileges section at the bottom of the documentation page corresponding to the desired administration console page for a list of all required privileges.

  • The minimal privilege to allow members of a group to access any Coveo Cloud administration console main menu page is the Organization privilege from the Organization service (see Organization Privilege).

    When your Coveo Cloud organization members do not have the minimal View access level on the Organization privilege and try to log in to the Coveo Cloud V2 administration console, they get the following message:

    Insufficient privileges

    You currently have insufficient privileges to access the Coveo Cloud administration console of the [OrganizationName] organization. Contact an administrator of the [OrganizationName] organization to change your privileges, or select an organization to which you have access through the Coveo Cloud administration console.

The API keys, Sources, and Groups privileges offer the Custom access level option, which allows you to grant each API key, source, or group its own access level (see Privileges, Sources Privilege, and Groups Privilege). For instance, you could grant your SharePoint Administrators group the Edit access level for your SharePoint sources, but only the View level for the other sources in the organization. Moreover, when you select the Custom access level option for Sources, you can decide whether the grantee (group or API key) should also be able to create new API keys or sources, respectively.

  • The Administrators group cannot be deleted, and its privileges cannot be edited (see Delete a Group). You can however duplicate the Administrators group, and then edit the desired parameters for the new group (see Duplicate a Group).

  • Privileges have nothing to do with view permissions on source items (see Coveo Cloud V2 Management of Security Identities and Item Permissions). Coveo Cloud organization privileges allow you to control who can do what through the Coveo Cloud administration console or API, while permissions on source items, dependent on your source configuration, determine which end-users can see what items in search results.

  • When you edit the privileges of a group or an API key, your options may vary. For each privilege, the access levels you can grant depend on the access level you have yourself, as well as the level that was last saved (see Groups and API Keys). In short, the list of access levels from which you can choose generally consists of the last saved access level, the access level you have, and the access levels of lesser importance than those.

    The following table summarizes the available access levels in each scenario, assuming you have the Edit access level for the group or API key of which you want to edit the privileges:

    Access level you have | Last saved access level | Access levels you can grant the group or API key
    None | None | N/A (you cannot change the access level)
    None | View all | None or View all
    None | Custom | None, View all, or Custom (see Note 1)
    None | Edit all | None, View all, or Edit all
    View all | None or View all | None or View all
    View all | Custom | None, View all, or Custom
    View all | Edit all | None, View all, or Edit all
    Custom | None, View all, or Custom | None, View all, or Custom
    Custom | Edit all | None, View all, Custom, or Edit all
    Edit all | Any | None, View all, Custom, or Edit all

    Note 1: In this scenario, albeit with Custom selected, you cannot view the list of sources available in the organization, as you do not have the View all access level on Sources (see Sources privilege).

    This table also applies for privileges that do not offer the Custom access level option, such as Fields (see Fields privilege).

    You are allowed to edit the Content Viewers group. This group has the View all access level for the Fields privilege, while you have Edit all. When changing the group’s access level for this privilege, you can choose from your access level, those of lesser importance, and the original group’s access level, i.e., Edit all, View all, or no access at all.
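    The rule summarized in the table above, written as a check you can run before approving a privilege change. This is an added example, not Coveo code; the handling of Custom is inferred from the table rows, and the editors and change records are constructed.

```python
# Added example, not Coveo code. The rule is inferred from the table on this page.
LADDER = ["None", "View all", "Custom", "Edit all"]  # ascending importance
RANK = {level: i for i, level in enumerate(LADDER)}


def grantable_levels(own, last_saved):
    """Levels an editor holding `own` may choose for a privilege whose last
    saved level is `last_saved`. An empty list is the table's N/A row."""
    top = max(own, last_saved, key=RANK.__getitem__)
    if top == "None":
        return []
    allowed = [l for l in LADDER if RANK[l] <= RANK[top] and l != "Custom"]
    # Custom is offered only if the editor holds Custom or Edit all,
    # or if Custom is the level that was last saved.
    if own in ("Custom", "Edit all") or last_saved == "Custom":
        allowed.append("Custom")
    return sorted(allowed, key=RANK.__getitem__)


def rejected_changes(changes):
    """Return the change requests that the rule above would not allow."""
    return [c for c in changes
            if c["requested"] not in grantable_levels(c["editor_level"],
                                                      c["last_saved"])]


# Constructed change requests (hypothetical editors; levels are for one privilege).
SAMPLE_CHANGES = [
    {"editor": "alice", "target": "Content Viewers",
     "editor_level": "Edit all", "last_saved": "View all", "requested": "Edit all"},
    {"editor": "bob", "target": "Content Viewers",
     "editor_level": "View all", "last_saved": "View all", "requested": "Edit all"},
    {"editor": "carol", "target": "SharePoint Administrators",
     "editor_level": "None", "last_saved": "Edit all", "requested": "Custom"},
]

if __name__ == "__main__":
    for change in rejected_changes(SAMPLE_CHANGES):
        print("not grantable:", change)
```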

When a user is a member of groups that have conflicting privilege access levels, the highest granted access level applies.

John Smith is a member of the Analytics Viewers and the custom-made Limited Administrators groups. The following table shows an excerpt of the privileges granted to both groups.

Service | Name | Analytics Viewers access levels | Limited Administrators access levels
Analytics | Administrate | (None) | Enable
Analytics | Analytics data | View | Edit
Analytics | Data Exports | View | Edit
Analytics | Dimensions | View | Edit
Analytics | Impersonate | Enable | (None)

Since the first four privilege access levels granted to the Limited Administrators group are of a higher level than those granted to the Analytics Viewers group, these Limited Administrators privilege access levels apply to John Smith. Therefore, John Smith can edit dimensions, for instance, even though he is also in the Analytics Viewers group, which is not allowed to perform dimension edits.

As for the Impersonate privilege, however, the Analytics Viewers group has the Enable access level while the Limited Administrators group does not. Consequently, John Smith is granted the Enable access level.

The following table shows the resulting privileges granted to John Smith.

Service | Name | John Smith's access levels
Analytics | Administrate | Enable
Analytics | Analytics data | Edit
Analytics | Data Exports | Edit
Analytics | Dimensions | Edit
Analytics | Impersonate | Enable
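The John Smith case above as an audit script: it merges group grants by highest access level, then reports grants that are ineffective because a prerequisite named on this page is missing. This is an added example, not Coveo code; the two groups' grants come from the page, the "Report Editors" grants and all function names are constructed, and only Analytics service privileges are modeled.

```python
# Added example, not Coveo code. Analytics service privileges only.
RANK = {"None": 0, "View": 1, "Enable": 1, "Edit": 2}

# (privilege, level held) -> [(required privilege, minimum level)], taken from
# the "ineffective without" notes in the Analytics Service section of this page.
PREREQS = {
    ("Data Exports", "View"): [("Analytics data", "View")],
    ("Dimensions", "View"): [("Analytics data", "View")],
    ("Named Filters", "View"): [("Analytics data", "View"), ("Dimensions", "View")],
    ("Reports", "View"): [("Analytics data", "View"), ("Dimensions", "View")],
    ("Reports", "Edit"): [("Administrate", "Enable")],
}

# Grants from the page's John Smith example.
ANALYTICS_VIEWERS = {"Administrate": "None", "Analytics data": "View",
                     "Data Exports": "View", "Dimensions": "View",
                     "Impersonate": "Enable"}
LIMITED_ADMINISTRATORS = {"Administrate": "Enable", "Analytics data": "Edit",
                          "Data Exports": "Edit", "Dimensions": "Edit",
                          "Impersonate": "None"}
# Constructed group used to show an ineffective grant.
REPORT_EDITORS = {"Reports": "Edit", "Analytics data": "View"}


def effective_levels(group_grants):
    """Merge the grants of every group a member belongs to; highest level wins."""
    merged = {}
    for grants in group_grants:
        for privilege, level in grants.items():
            if RANK[level] > RANK[merged.get(privilege, "None")]:
                merged[privilege] = level
    return merged


def ineffective_grants(levels):
    """Return (privilege, held, missing prerequisite, minimum level) tuples."""
    findings = []
    for (privilege, at_level), needs in PREREQS.items():
        held = levels.get(privilege, "None")
        if RANK[held] < RANK[at_level]:
            continue  # rule does not apply at the level actually held
        for required, minimum in needs:
            if RANK[levels.get(required, "None")] < RANK[minimum]:
                findings.append((privilege, held, required, minimum))
    return findings


if __name__ == "__main__":
    john = effective_levels([ANALYTICS_VIEWERS, LIMITED_ADMINISTRATORS])
    print("John Smith:", john, ineffective_grants(john))
    print("Report Editors:", ineffective_grants(effective_levels([REPORT_EDITORS])))
```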

The following sections correspond to the services and privileges displayed in the Privilege tab you see when creating or editing a group or an API key (see Groups - Page and API Keys - Page). They present the abilities that come with each access level option for a privilege. For each privilege, the Typical grantees column shows which of the built-in groups are granted each level by default: Administrators, Analytics Managers, Analytics Viewers, Content Managers, Relevance Managers, and Users (see About Coveo Cloud V2 User Management). See also About Coveo Cloud V2 User Management for a list of the default access levels granted to each built-in role.

Analytics Service

Administrate Privilege

Access level Grantee abilities Typical grantees
Enable
  • Manage the organization usage analytics data:

    • Add and delete test usage analytics data in the account

    • Edit, get, delete, and disable the organization account

  • Define IP addresses whose events are flagged as internal (see Administration API - Version 15 and Specify Internal IPs)

  • Administrators

  • API keys

Analytics Data Privilege

Access level Grantee abilities Typical grantees
View
  • Analytics managers

  • Analytics viewers

  • Relevance managers

Push Send analytics events to the Coveo usage analytics service (see API Keys - Page) OAuth tokens, API keys, and search tokens assigned to a process such as a search interface
Push and view Administrators

Data Exports Privilege

The Data exports privilege access levels are ineffective without the View access level on the Analytics data privilege (see Analytics Data Privilege).

Access level Grantee abilities Typical grantees
View

View and download usage analytics data exports containing clicks, groups, keywords, searches, and custom events meeting the specified criteria for a specific date range (see Managing Data Exports)

Edit
  • Administrators

  • Analytics managers

  • Analytics viewers

  • Relevance managers

Dimensions Privilege

The Dimensions privilege access levels are ineffective without the View access level on the Analytics data privilege (see Analytics Data Privilege).

Access level Grantee abilities Typical grantees
View Analytics viewers
Edit

Add, edit, or delete dimensions created by Coveo Cloud organization members (see Managing Dimensions on Custom Metadata).

  • Administrators

  • Analytics managers

Impersonate Privilege

Access level Grantee abilities Typical grantees
Enable

Allow a custom process or bot to push usage analytics events with different identities.

  • Administrators

  • API keys

Named Filters Privilege

The Named filters privilege access levels are ineffective without the View access level on the Analytics data and Dimensions privileges (see Analytics Data Privilege and Dimensions Privilege).

Access level Grantee abilities Typical grantees
View

View named filters (see Managing Named Filters)

  • Analytics viewers

  • Users

Edit

Add, edit, or delete named filters (see Managing Named Filters)

  • Administrators

  • Analytics managers

  • Relevance managers

Permission Filters Privilege

The Permission filters privilege access levels are ineffective without the View access level on the Analytics data and Dimensions privileges (see Analytics Data Privilege and Dimensions Privilege).

Access level Grantee abilities Typical grantees
View

View permission filters restricting the usage analytics data that analysts can review in reports (see Managing Permission Filters)

Without the View access level, you cannot see the permissions filters that are assigned to your identity in reports.

  • Analytics viewers

  • Analytics managers

  • Relevance managers

  • Users

Edit

Add, edit, or delete permission filters (see Managing Permission Filters)

The Edit access level is ineffective without the View access level on the Groups privilege (see Groups Privilege).

Administrators

Reports Privilege

The Reports privilege access levels are ineffective without the View access level on the Analytics data and Dimensions privileges (see Analytics Data Privilege and Dimensions Privilege).

Access level Grantee abilities Typical grantees
View

View usage analytics reports (see Reviewing and Managing Dashboards and Reviewing and Managing Usage Analytics Explorers)

Analytics viewers
Edit

Add, edit, or delete usage analytics reports (see Managing Usage Analytics Reports)

The Edit access level is ineffective without the Enable access level on the Administrate privilege (see Administrate Privilege).

  • Administrators

  • Analytics managers

  • Relevance managers

Suggest Queries Privilege

Access level Grantee abilities Typical grantees
Enable

Allow a process such as a search interface to receive query suggestions from the Coveo Usage Analytics service (see About Usage Analytics Service Query Suggestions)

  • Administrators

  • API keys

View All Reports Privilege

Access level Grantee abilities Typical grantees
Enable

View all reports, regardless of report accesses (see Managing Usage Analytics Report Access in Reports). Members that do not have this access level can only review the reports they are explicitly allowed to access.

  • Administrators

  • Analytics managers

Content Service

Extensions Privilege

Access level Grantee abilities Typical grantees
View

View the code and usage statistics of available extensions assigned to sources. This is especially useful when troubleshooting cases such as item indexing issues (see Extensions - Page).

Edit

Add code snippets to apply transformations to included items such as adding or modifying metadata (see Extensions - Page). It is recommended to grant this privilege to developers only.

  • Administrators

  • Content managers

Fields Privilege

Access level Grantee abilities Typical grantees
View

View fields and field configuration (see Fields - Page)

Users
Edit
  • Administrators

  • API keys

  • Content managers

Security Identities Privilege

The Security identities privilege access levels are ineffective without the View access level on the Security identity providers privilege (see Security Identity Providers Privilege).

Access level Grantee abilities Typical grantees
View
  • View security identity provider update status, statistics, and refresh schedule (see Security Identities - Page)

  • View security identity provider references such as provider IDs and the sources that use each provider (see Review Additional Statistics)

  • View the permissions and effective permissions on Coveo Cloud organization items (see Item Properties - Panel)

  • View security identities and their status inside each security provider

Edit

Only required by certain API calls (e.g., enable all disabled entities in security cache). Granting it to users or groups does not give them any additional capabilities.

Administrators

Security Identity Providers Privilege

Access level Grantee abilities Typical grantees
View
  • View security identity provider update status, statistics, and refresh schedule (see Security Identities - Page)

  • View security identity provider references such as provider IDs and the sources that use each provider (see Review Additional Statistics)

  • View security identities and their status inside each security provider

Edit

Administrators

Sources Privilege

  • To review source content in the Content Browser, you must have the Enable access level on the Execute queries privilege (see Content Browser - Page and Execute Queries Privilege).

  • When a group has the View access level for some or all sources, the corresponding sources are grayed out in the Sources page (see Sources - Page).

  • Unlike for other resources, the ability to create sources can be granted without the Edit access level. When granting privileges, you can therefore grant a group or API key the View all or Custom access level for sources and check the Can Create checkbox to allow users to create sources.

Access level Grantee abilities Typical grantees
View all

Users

Custom (see Note 1) View
Edit  
Edit all
  • Administrators

  • API keys

  • Content managers

Note 1: See Custom Access Level.

Machine Learning Service

Models Privilege

You cannot view and edit Coveo Machine Learning models without the following access levels:

Access level Grantee abilities Typical grantees
View

Review the list of Coveo Machine Learning models inside the organization query pipelines (see Models - Page)

Edit

Add, edit, or delete query pipeline models, and thus optimize search results relevance and search experience in general (see Managing Coveo Machine Learning Automatic Relevance Tuning Models in a Query Pipeline, Managing Coveo Machine Learning Query Suggestions Models in a Query Pipeline, and Managing Coveo Machine Learning Event Recommendations Models in a Query Pipeline)

  • Administrators

  • Relevance managers

Organization Service

API Keys Privilege

  • This privilege is only available when configuring groups, as API keys cannot be granted access rights to view or edit other API keys (see Groups - Page).

  • When members of a group have the View access level for some or all API keys, the corresponding keys are grayed out in the API Keys page (see View and Edit).

Access level Grantee abilities Typical grantees
View all

View in read-only mode the configuration of all API keys (see API Keys - Page).

  • Content managers

  • Relevance managers

Custom (see Note 1) View

View in read-only mode the configuration of specific API keys (see API Keys - Page).

 
Edit

Edit, delete, activate, and disable specific API keys (see API Keys - Page and Custom Access Levels)

 
Edit all

Add, edit, delete, activate, and disable all API keys (see API Keys - Page and Custom Access Levels)

Administrators

Note 1: See Custom Access Level.

Activities Privilege

Access level Grantee abilities Typical grantees
View

View all organization activities (see Activity Browser - Page)

A member with the View access level could see activities from administration console pages for which they are not granted any access levels.

  • Content managers

  • Relevance managers

Edit

Send custom activities to Coveo Cloud V2 (see Add/Edit Push Source - Panel)

  • Administrators

  • API keys

Elasticsearch Indexes Privilege

This privilege is only available in organizations with an Elasticsearch index (see Review the Product Name, Product Type, Product Edition, and Index Type).

Access level Grantee abilities Typical grantees
View

 

Edit

Administrators

Groups Privilege

Grant the Edit or Edit all access level for the Groups privilege only to a few people, ideally the authority in your company that manages access rights in corporate systems.

When members of a group have the View access level for some or all groups, the corresponding groups are grayed out in the Groups page (see View and Edit).

Access level Grantee abilities Typical grantees
View all

Analytics managers

Custom (see Note 1) View

View groups, including their privileges (see Groups - Page)

  • Content managers

  • Relevance managers (see Note 2)

  • Users (see Note 3)

Edit
  • Relevance managers (see Note 2)

  • Users (see Note 3)

Edit all

Administrators

Note 1: See Custom Access Level.

Note 2: By default, members of the Relevance Managers built-in group can edit this group only. This allows them to invite other people in the Relevance Managers group, but not in other groups.

Note 3: By default, members of the Users built-in group can edit this group only. This allows them to invite other people in the Users group, but not in other groups.

Notifications Privilege

Access level Grantee abilities Typical grantees
View

View organization notifications (see Notifications - Page)

 

Edit

Edit and delete organization notifications (see Notifications - Page)

Administrators

On-Premises Organization Privilege

This privilege is required by the Coveo On-Premises Crawling Module API keys only (see Coveo On-Premises Crawling Module and API Keys - Page). Granting it to users or groups does not give them any additional capabilities.

Organization Privilege

Access level Grantee abilities Typical grantees
View

  • Access the Coveo Cloud administration console (see Coveo Cloud V2 Administration Console)

    Without the View access level, an organization member gets the following message when trying to log in to the administration console (see Logging in to Coveo Cloud V2):

    Insufficient Privileges - You currently have insufficient privileges to access the Coveo Cloud administration console of the [OrganizationName] organization. Contact an administrator of the [OrganizationName] organization to change your privileges, or select an organization to which you have access through the Coveo Cloud administration console.

  • View the organization status and license type (see Review the License Type).

  • Analytics managers

  • Analytics viewers

  • Content managers

  • Relevance managers

  • Users

Edit

Administrators

SAML Identity Provider Privilege

Access level | Grantee abilities | Typical grantees
View | View SAML single sign-on settings (see Coveo Cloud V2 SAML SSO) |
Edit | Configure SAML single sign-on for the organization and edit the single sign-on settings | Administrators

Snapshots Privilege

Required to use an upcoming feature. Granting it to users or groups does not give them any additional capabilities yet.

Search Service

Execute Queries Privilege

Access level Grantee abilities Typical grantees
Enable

For organization members and API keys to send queries and get search results in search pages connected to their Coveo Cloud organization (see Searching with Coveo Cloud).

  • Administrators

  • API keys

  • Content managers

  • Users

Impersonate Privilege

Access level Grantee abilities Typical grantees
Enable

Obtain a search token for a search interface with secured content to perform queries with the end-user identity and return only results the user is authorized to see.

Anyone granted this privilege can impersonate any user and see in search results all the content accessible to this user.

  • Administrators

  • API keys

Modify Authentication Provider Privilege

Access level Grantee abilities Typical grantees
Enable

Manage authentication for secured sources such as when they are protected with SharePoint claims-based identities.

  • Administrators

  • API keys

Query Pipelines Privilege

You cannot view and edit Coveo Machine Learning models without the View access level on the Models (requires the Edit access level to manage models), Analytics data, and Dimensions privileges (see Privileges).

Access level Grantee abilities Typical grantees
View  
Edit

Optimize results relevance and search experience in general:

  • Administrators

  • Relevance managers

Salesforce Index Configuration Privilege

Access level Grantee abilities Typical grantees
View

Link a Coveo Cloud organization to a Salesforce organization that uses a Salesforce index.

 

  Administrators
Edit

Search Pages Privilege

Access level Grantee abilities Typical grantees
View

Access the search pages hosted by the Coveo Cloud organizations of which a user is a member

Users

Edit Administrators

View All Content Privilege

Access level Grantee abilities Typical grantees
Enable

Browse all the content of a Coveo Cloud organization index, and thus be able to troubleshoot search issues (see Content Browser - Page).

Anyone granted this privilege bypasses the content permissions, meaning they could see the content of items they do not normally have access to in the original systems.

Administrators